Files
wehub-resource-sync d25d482dc2
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:20:55 +08:00

187 lines
5.7 KiB
YAML

# values-external-db.yaml
#
# When to use: production deployments that use a managed Postgres service
# (AWS RDS, Azure Database for PostgreSQL, Google Cloud SQL, Neon, Supabase)
# instead of the chart's in-cluster Postgres StatefulSet. The in-cluster
# Postgres is disabled (postgresql.enabled=false).
#
# Prerequisites:
# - A reachable managed Postgres instance with pgvector extension available
# - DB credentials provisioned (user, password, database)
# - Network reachability from the cluster (peering, private link, or public
# endpoint with TLS)
#
# Install:
# helm install sim ./helm/sim \
# --namespace sim --create-namespace \
# --values ./helm/sim/examples/values-external-db.yaml \
# --set externalDatabase.host=your-db.example.com \
# --set externalDatabase.username=simstudio_user \
# --set externalDatabase.password="$DB_PASSWORD" \
# --set externalDatabase.database=simstudio_prod \
# --set app.env.BETTER_AUTH_SECRET="$BETTER_AUTH_SECRET" \
# --set app.env.ENCRYPTION_KEY="$ENCRYPTION_KEY" \
# --set app.env.INTERNAL_API_SECRET="$INTERNAL_API_SECRET"
# Global configuration
global:
imageRegistry: "ghcr.io"
# Main application
app:
enabled: true
replicaCount: 2
resources:
limits:
memory: "4Gi"
cpu: "2000m"
requests:
memory: "2Gi"
cpu: "1000m"
env:
NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com"
BETTER_AUTH_URL: "https://simstudio.acme.com"
SOCKET_SERVER_URL: "https://simstudio-ws.acme.com"
NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com"
# Security settings (REQUIRED - replace with your own secure secrets)
# Generate using: openssl rand -hex 32
BETTER_AUTH_SECRET: "" # Set via --set flag or external secret manager
ENCRYPTION_KEY: "" # Set via --set flag or external secret manager
INTERNAL_API_SECRET: "" # Set via --set flag or external secret manager
CRON_SECRET: "" # Set via --set flag or external secret manager
# Optional: API Key Encryption (RECOMMENDED for production)
# Generate 64-character hex string using: openssl rand -hex 32
API_ENCRYPTION_KEY: "" # Optional but recommended - encrypts API keys at rest
NODE_ENV: "production"
NEXT_TELEMETRY_DISABLED: "1"
# Realtime service
realtime:
enabled: true
replicaCount: 2
resources:
limits:
memory: "4Gi"
cpu: "1000m"
requests:
memory: "2Gi"
cpu: "500m"
env:
NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com"
BETTER_AUTH_URL: "https://simstudio.acme.com"
BETTER_AUTH_SECRET: "" # Must match main app secret - set via --set flag
ALLOWED_ORIGINS: "https://simstudio.acme.com"
NODE_ENV: "production"
# Database migrations
migrations:
enabled: true
resources:
limits:
memory: "2Gi"
cpu: "1000m"
requests:
memory: "1Gi"
cpu: "500m"
# Disable internal PostgreSQL
postgresql:
enabled: false
# Configure external database connection
externalDatabase:
enabled: true
# Database connection details (REQUIRED - configure for your external database)
host: "" # Database hostname (e.g., "postgres.acme.com" or RDS endpoint)
port: 5432
username: "" # Database username (e.g., "simstudio_user")
password: "" # Database password - set via --set flag or external secret
database: "" # Database name (e.g., "simstudio_production")
# SSL mode for database connections (recommended: 'require' for production)
sslMode: "require" # Options: disable, allow, prefer, require, verify-ca, verify-full
# Ollama (optional for AI models)
ollama:
enabled: false
# Ingress configuration
ingress:
enabled: true
className: nginx
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
app:
host: simstudio.acme.com
paths:
- path: /
pathType: Prefix
realtime:
host: simstudio-ws.acme.com
paths:
- path: /
pathType: Prefix
tls:
enabled: true
secretName: simstudio-tls-secret
# Production-ready features (autoscaling, monitoring, etc.)
autoscaling:
enabled: true
minReplicas: 2
maxReplicas: 20
targetCPUUtilizationPercentage: 70
targetMemoryUtilizationPercentage: 80
podDisruptionBudget:
enabled: true
minAvailable: null
maxUnavailable: 1
unhealthyPodEvictionPolicy: AlwaysAllow
monitoring:
serviceMonitor:
enabled: true
labels:
monitoring: "prometheus"
interval: 15s
networkPolicy:
enabled: true
# Custom egress rules to allow database connectivity to an external DB.
# The chart's app/realtime NetworkPolicies already permit egress to
# `postgresql.service.targetPort` when `postgresql.enabled=true`. For an
# external DB on a different port (or off-cluster), append to extraRules.
egress:
extraRules:
- to: []
ports:
- protocol: TCP
port: 5432
# Example deployment command with secure secret generation:
# helm install sim ./helm/sim \
# --values ./helm/sim/examples/values-external-db.yaml \
# --set externalDatabase.host="your-db-host.com" \
# --set externalDatabase.username="your-db-user" \
# --set externalDatabase.password="your-db-password" \
# --set externalDatabase.database="your-db-name" \
# --set app.env.BETTER_AUTH_SECRET="$(openssl rand -hex 32)" \
# --set app.env.ENCRYPTION_KEY="$(openssl rand -hex 32)" \
# --set app.env.INTERNAL_API_SECRET="$(openssl rand -hex 32)" \
# --set app.env.CRON_SECRET="$(openssl rand -hex 32)" \
# --set app.env.API_ENCRYPTION_KEY="$(openssl rand -hex 32)" \
# --set realtime.env.BETTER_AUTH_SECRET="$(openssl rand -hex 32)"